Legal claims defining the scope of protection, as filed with the USPTO.
1. A method of authenticating a host-identification mapping extension included in a digital certificate, the digital certificate, issued and signed by a specific certification authority, the method comprising: assigning a trust value for each certification authority included in a set of certification authorities, said trust value being based on a corresponding organization responsible for operating said certification authority, and said trust value corresponding to one of the following values: “not trusted”, “trusted”, or “highly trusted”; receiving said digital certificate containing said host-identification mapping extension, said host-identification mapping extension containing a plurality of identification attributes, including a host name, a subject identification name and optionally a proof of identity possession entry; if the trust value assigned to the specific certification authority issuing said digital certificate is “highly trusted” and said host identification mapping extension contains a corresponding host name for a host system to be accessed, then honoring said host-identification mapping extension regardless of whether said proof of identity possession data entry appears in said host-identification mapping extension; and if the trust value assigned to said certification authority is “trusted”, then said host-identification mapping extension is certified only if said proof of identity possession data entry appears in said host-identification mapping extension, and contains valid information as verified by a host corresponding to said host name included in said plurality of identification attributes.
2. The method of claim 1, wherein said digital certificate is an X.509 v3 digital certificate.
3. The method of claim 1, wherein: if said trust value assigned to said certification authority is “not trusted”, then said host-identification mapping extension is not honored regardless of whether said proof of identity possession data appears in said host-identification mapping extension.
4. The method of claim 1, wherein said proof of identity possession entry further comprises a password.
5. The method of claim 1 wherein the trust value assigned to the certification authority issuing said digital certificate is specified independently of said certificate.
6. A storage medium encoded with a machine readable computer program code for authenticating a host-identification mapping extension included in a digital certificate, issued and signed by a specific certification authority, the storage medium including instructions for causing a computer to implement a method, the method comprising: assigning a trust value for each certification authority included in a set of certification authorities said trust value being based on a corresponding organization responsible for operating said certification authority, and said trust value corresponding to one of the following values: “not trusted”, “trusted”, or “highly trusted”; receiving said digital certificate containing said host-identification mapping extension, said host-identification mapping extension containing a plurality of identification attributes, a subject identification name, said subject identification name including a host name, a subject identification name and optionally a proof of identity possession entry; if the trust value assigned to the specific certification authority issuing said digital certificate is “highly trusted” and said host identification mapping extension contains a corresponding host name for a host system to be accessed, then honoring said host-identification mapping extension regardless of whether said proof of identity possession data entry appears in said host-identification mapping extension; and if the trust value assigned to said certification authority is “trusted”, then said host-identification mapping extension is certified only if said proof of identity possession data entry appears in said host-identification mapping extension, and contains valid information as verified by a host corresponding to said host name included in said plurality of identification attributes.
7. The storage medium of claim 6, wherein said digital certificate is an X.509 v3 digital certificate.
8. The storage medium of claim 6, wherein: if said trust value assigned to said certification authority is “not trusted”, then said host-identification mapping extension is not honored regardless of whether said proof of identity possession entry appears in said host-identification mapping extension.
9. The storage medium of claim 6, wherein said proof of identity possession entry further comprises a password.
10. The storage medium of claim 6, wherein the trust value assigned to the certification authority issuing said digital certificate is specified independently of said certificate.
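The decision procedure of claims 1, 3 and 5 (a per-CA trust value kept outside the certificate; “highly trusted” honors the mapping without a proof entry, “trusted” requires a proof entry that the named host verifies, “not trusted” never honors it), written out as an added Python example. This is illustrative code, not the patent's own implementation; the class names, the CA names, the host secrets and the unlisted-CA default are all constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Optional

class Trust(Enum):
    """Per-CA trust value from claim 1, assigned per operating organization."""
    NOT_TRUSTED = "not trusted"
    TRUSTED = "trusted"
    HIGHLY_TRUSTED = "highly trusted"

@dataclass(frozen=True)
class HostIdMapping:
    """Host-identification mapping extension: host name, subject name and an
    optional proof-of-identity-possession entry (a password, per claim 4)."""
    host_name: str
    subject_name: str
    proof_of_possession: Optional[str] = None

@dataclass(frozen=True)
class Certificate:
    issuer_ca: str            # issuing CA name (hypothetical field name)
    mapping: HostIdMapping

# Constructed trust table, held outside any certificate (claim 5): CA -> trust value.
CA_TRUST: Dict[str, Trust] = {
    "Example Internal CA": Trust.HIGHLY_TRUSTED,
    "Example Partner CA": Trust.TRUSTED,
    "Example Unknown CA": Trust.NOT_TRUSTED,
}

# Constructed stand-in for the target host checking the proof entry ("trusted" branch).
HOST_SECRETS: Dict[str, Dict[str, str]] = {"db01.example.test": {"alice": "s3cret"}}

def host_verifies(host: str, subject: str, proof: str) -> bool:
    return HOST_SECRETS.get(host, {}).get(subject) == proof

def honor_mapping(cert: Certificate, target_host: str,
                  verify: Callable[[str, str, str], bool] = host_verifies) -> bool:
    """True if the extension is honored when accessing target_host (claims 1 and 3)."""
    trust = CA_TRUST.get(cert.issuer_ca, Trust.NOT_TRUSTED)  # unlisted CA: not trusted (assumption)
    m = cert.mapping
    if m.host_name != target_host:
        return False          # extension must name the host being accessed
    if trust is Trust.NOT_TRUSTED:
        return False          # claim 3: never honored, with or without proof
    if trust is Trust.HIGHLY_TRUSTED:
        return True           # claim 1: honored regardless of proof entry
    if m.proof_of_possession is None:
        return False          # "trusted" requires the proof entry to be present
    return verify(m.host_name, m.subject_name, m.proof_of_possession)
```

Treating a CA absent from the table as “not trusted” is a fail-closed choice the claims do not spell out; a deployment would set the default deliberately.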
November 21, 2006